
Re: [FW-1] How to convert Single Gateway to Distributed config?



You can't split the management off of a Single Gateway firewall -- the license
is for "management of a single enforcement point."
An upgrade is needed if you have a single gateway for 25- to 250-users.

If, however, you have an Enterprise Center (unlimited-users, mgmt, with or
without encryption license), you may do this.
But you have to visit the CheckPoint Licensing Center to migrate the license.
You need the original Cert Key, the IP address of the firewall,
and the IP address of the MANAGEMENT CONSOLE. So, you must split the license
before you can split the installation.

If there is any doubt, do an FW PRINTLIC to verify the features. If you have
v4.1 (2000), then you will find your Cert Key in the output "CK-x yyyy zzzz"


Dave Gianna, MS, CCSE, CCSI, NSA, ACE/ADM
Technical Sales Engineer
Security Technologies Group
Westcon, Inc. <http://www.westcon.com/online/>
520 White Plains Road
Tarrytown, NY 10591

====================================================
"Sing bird of prey, Beauty begins at the foot of you
Do you believe the manner?
Cold stainless nail, Torn through the distance of man
As they regard the summit ..."
                       -- Jon Anderson/Yes
====================================================




Richard Marshall <richard.marshall@NETDOCTOR.CO.UK>
10/22/01 08:59 AM
Please respond to Mailing list for discussion of Firewall-1

To:      [email protected]
cc:      (bcc: David Gianna/Westchester/Westcon/US/WestconGroup)
Subject: Re: [FW-1] How to convert Single Gateway to Distributed config?





Hi,

I used to have a similar problem (though not caused by splitting the
management off). Even though the control.maps looked the same it turned out
that the formatting of the files was affecting them. I seem to remember that
I tried to use a control.map created on IPSO on an NT machine and it
completely threw it, but on the IPSO it was fine.

hope this is of some help.

rich

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[email protected]] On Behalf Of Nico De Ranter
Sent: 22 October 2001 12:29
To: [email protected]
Subject: [FW-1] How to convert Single Gateway to Distributed config?


Hi,

I have a firewall running as "single gateway" on Solaris (sparc).
I will need to manage a second firewall so I prefer to split the
management module to a separate machine. According to the VPN-1/FW-1
administration Guide (p.71) this should be possible by either
reinstalling the firewall as "distributed setup" or "alternatively, you
can reconfigure by manually modifying $FWDIR/conf/master...".
Since reinstalling the firewall will mean too much downtime, I tried
the second solution. After doing an "fw putkey" on both machines
and restarting the management module I get the following output when
trying to restart the firewall:

------------------
FireWall-1: Starting fwd
FireWall-1:  Starting fwm (Remote Management Server)

FireWall-1: Fetching Security Policy from 192.168.1.1 10.1.1.1 localhost
Trying to fetch Security Policy from 192.168.1.1:
FW: Received new control security key from 192.168.1.1
Authentication for command fetch failed
Fetching Security Policy from 192.168.1.1 failed
Trying to fetch Security Policy from 10.1.1.1:

Installing Security Policy policy on all.all@charon
Fetching Security Policy from 10.1.1.1 succeeded

FireWall-1: Starting cpmad (Malicious Activity Detection)
FireWall-1 started
-----------------

Apparently the firewall can reach the management server but I
always get "Authentication for command fetch failed". (Note: I checked
lib/control.map on both machines, both contain the same encryption schemes,
both servers run the same version of the firewall with the same encryption
options)

Any suggestions? Anybody done this before?

Thanks in advance,

Nico

---------------------------------------------------------
 "It has been said that there are only two businesses that
  refer to customers as users: illegal drug trade and
               the computer industry."
---------------------------------------------------------
Nico De Ranter
Sony Service Center (SDCE/VPE-B)
Sint Stevens Woluwestraat 55 (Rue de Woluwe-Saint-Etienne)
1130 Brussel (Bruxelles), Belgium, Europe, Earth
Telephone: +32 2 724 86 41 Telefax: +32 2 726 26 86
e-mail: [email protected]

===============================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
===============================================
